by magicalhippo 2684 days ago
The only argument that made sense to me was the one that the current APIs make it quite difficult to reason about what the extension actually does once installed and running.

By dynamically installing rules downloaded from the web a nefarious ad blocker could, for example, not just block ads but also hide certain political content from search results.

By requiring the list of rules to be hard-coded in the extension, it's easier to see what exactly the extension will do once installed.

For me though, this benefit does not outweigh the cost.

1 comments

That's an interesting thought, but extensions can still hide, inject, or replace content. They just can't avoid downloading the original by any criteria other than URI patterns.

Sure, but the idea, as I understood it, was that by locking down the APIs such that they can't change behavior post-install, any such patterns would be visible on inspection.

For example, extensions are already rejected if they contain minified scripts as that also obfuscates what happens. This could be seen as going one step further.

Again, not endorsing this move.

Ah, yes. The separate set of Manifest V3 proposals that disallow external and/or obfuscated code. Probably a good idea at a high level, but it does break good stuff like Tampermonkey (10 million users...ouch).